Target Locked the Front Door but Left the Windows Open

Target was in the news again last week when it was reported that the attackers who compromised Target’s point-of-sale systems got in through one of its vendors, Fazio Mechanical Services, a heating and cooling contractor from Sharpsburg, Pa. I have written several times about Supply Chain Risk and Fraud in the Supply Chain, but this instance, one of the largest data breaches in history, is a lesson to ALL of us in how cyber fraud and the supply chain are intertwined.

CyberSource’s 2013 Online Fraud Report (Online Payment Fraud Trends, Merchant Practices and Benchmarks) put losses to online fraud in 2012 at $3.5 billion. So how does a company like Target, with an extensive security budget, get breached through one of its vendors? Through the one ‘system’ that is hardest to control: our associates and suppliers.

Human behavior is in many respects predictable. It is this very predictability of behavior that a fraudster relies upon to gain access to an account. Fraudsters, confidence men like Madoff, and cyber crooks depend on the predictability of their marks to help them with their schemes.

Cyber fraudsters follow several steps. First, a malware coder is hired, often by organized crime, to write code that exploits a particular system and extracts information from it, delivered by way of a ‘Trojan horse’. The term comes from the Greek legend in which the Greeks presented a giant wooden horse to the Trojans as a peace offering; the Greek soldiers hidden inside the hollow horse came out and captured Troy. Similarly, a Trojan horse program presents itself as a useful program or a harmless file, while it actually installs malware that steals data or does damage to your computer.

Sometimes the victim is known beforehand, and the malware is written for a specific company. Other times the malware is written for a specific piece of software, and the fraudsters go after whichever companies run it. It could have been either of these scenarios, or a combination of both, that put Target in the cross-hairs of these fraudsters: the volume of transactions and the time of year (the holiday shopping season) were not a coincidence.

Cyber fraud could happen to almost anyone. The CEO of a well-known company infected his own system when he opened a Facebook message containing a ‘picture’ captioned “I can’t believe how young we were”, sent from a name that resembled a classmate’s. This is the second step of cyber fraud: get the malware to an access point. The ‘picture’ contained malware for capturing passwords and email. The CEO was targeted through a process called ‘spear phishing’, in which a specific individual at a company is targeted for a specific reason. This malware would lead to the breach of his company’s treasury and banking software. (See related Firestorm Article: Show this Video to Your Students, Co-workers, Children – Everyone – The Social Media Experiment)

The fraudster had gone online, found a bio on the CEO’s own company web site that named the CEO’s college, Googled the school’s newspaper, found an article naming the CEO’s fraternity, and downloaded a photo of the fraternity from the school’s archive for the years the CEO attended. With names taken from the picture, the cyber-criminal created fictitious Gmail and Facebook accounts and forwarded the ‘picture’ file to the CEO. The fraudster bragged to authorities that it took him less than an hour to do this, and within a day the CEO had opened the file.

The file gave the fraudster access to the CEO’s company email and passwords. Then, from the CEO’s own email account, he sent the treasurer a message that said “Read this and get back to me immediately”; the attached file held the malware for the banking system. That is the third step. The treasurer opened it immediately, just as the fraudster expected. How many of us would react the same way? Note that this message really did come from the CEO’s account, so the rule “only open mail from people you know” offers no protection here; only a check outside the email channel, such as a phone call to the CEO, would have caught it. This led to the fourth step: the banking credentials were siphoned off.

There are several more steps, but the fact is that the CEO opened the door himself through poor practices. The company had spent millions on IT security, effectively padlocking the doors, but the CEO opened the windows!

How many times have we been told “Don’t open emails from people you don’t know”? Well, fraudsters know that as well. How many emails have you received from “DHL” about the package that couldn’t be delivered? Or urgent notices from “American Express” or a major bank, some of which you do not even bank with?

I know a seasoned executive who has infected his computer through these scams not once, but more than once! I asked him, “Did you have a package with DHL?” and he answered, “No! That’s why I wanted to know what wasn’t delivered!”

Fraudsters know this behavior and expect it, no, depend on it, to carry out their fraud. Now imagine this scenario at one of your suppliers: no matter how sophisticated your organization may be, your suppliers and business partners, and their families, may be leaving the windows open.
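The three tells in the story above (a known name on an unknown address, a brand name on a lookalike domain, and a “picture” that is really a program) can be checked mechanically before a message reaches a person. The screener below is an added example written for this article, not Firestorm’s code; the contact list, the trusted brand domains and the three sample messages are all constructed for it. It also shows the caveat from the treasurer step: when the mail comes from a real, taken-over account, only the attachment check fires.

```python
import email
import re
from email.utils import parseaddr

# Constructed for this example: the people the company really corresponds
# with, and the address each of them actually uses.
KNOWN_CONTACTS = {
    "Jim Harper": "jim.harper@example-university.edu",  # the "classmate"
    "Pat Reyes": "pat.reyes@acme-corp.example",          # the CEO
}
# Constructed: brands that lures borrow ("DHL", "American Express") and the
# domains those brands really send from.
TRUSTED_BRANDS = {"dhl.com", "americanexpress.com"}
# Extensions that run code; a "picture" ending in one of these is a program.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif", ".com"}
# Digits that lookalike domains use in place of letters (dh1 for dhl, 0 for o).
HOMOGLYPHS = str.maketrans("1035", "loes")


def name_impersonation(display_name, address):
    """A display name we know, paired with an address that is not that person's."""
    expected = KNOWN_CONTACTS.get(display_name.strip())
    return expected is not None and address.lower() != expected.lower()


def lookalike_domain(address):
    """True when the sender domain borrows a trusted brand's name without being
    that brand's domain, e.g. dh1-express.net or americanexpress-secure.com."""
    domain = address.rpartition("@")[2].lower()
    if any(domain == b or domain.endswith("." + b) for b in TRUSTED_BRANDS):
        return False
    letters = re.sub(r"[^a-z]", "", domain.translate(HOMOGLYPHS))
    return any(b.split(".")[0] in letters for b in TRUSTED_BRANDS)


def executable_attachments(msg):
    """Names of attachments whose final extension executes code."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and "." + name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT:
            found.append(name)
    return found


def screen(raw_message):
    """Return the spear-phishing tells found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    findings = []
    if name_impersonation(display_name, address):
        findings.append(f"'{display_name}' is a known contact, but {address} is not their address")
    if lookalike_domain(address):
        findings.append(f"sender domain of {address} imitates a trusted brand")
    for name in executable_attachments(msg):
        findings.append(f"attachment {name} is a program, not a picture or document")
    return findings


# Constructed sample 1: the classmate lure, sent from a fresh Gmail account under
# a real classmate's name, with a "picture" that is really an executable.
CLASSMATE_LURE = """\
From: Jim Harper <jim.harper.88@gmail.com>
Subject: I can't believe how young we were
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/octet-stream; name="reunion.jpg.exe"
Content-Disposition: attachment; filename="reunion.jpg.exe"

MZ...
--sep--
"""

# Constructed sample 2: the "package could not be delivered" lure, sent from a
# lookalike domain with the digit 1 standing in for the letter l.
DHL_LURE = """\
From: DHL Express <noreply@dh1-express.net>
Subject: Your package could not be delivered
Content-Type: text/plain

Please confirm your address at the link below.
"""

# Constructed sample 3: the third step of the story. The mail really comes from
# the CEO's taken-over account, so the sender checks pass; the attachment does not.
CEO_TO_TREASURER = """\
From: Pat Reyes <pat.reyes@acme-corp.example>
Subject: Read this and get back to me immediately
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/octet-stream; name="wire_details.pdf.scr"
Content-Disposition: attachment; filename="wire_details.pdf.scr"

MZ...
--sep--
"""
```

Calling `screen()` on each sample returns two findings for the classmate lure (known name on a Gmail address, executable “picture”), one for the DHL lure (lookalike domain) and one for the treasurer message (executable attachment only). The contact list is the important input: without a record of which address a known person actually uses, the first check has nothing to compare against.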

How are the controls at your company? OK, now how good are they at your suppliers? And their suppliers?

Here are 5 things that you can do today to help protect you and your company from these cyber-attacks:

1. Assume that there will be a breach. Limit which outside companies can reach your key systems, and what their accounts can reach once they are in: a heating and cooling contractor has no business reaching the systems that process card payments, so keep vendor access on its own segment and grant it nothing beyond the job at hand.

2. Insist not only that your company carries Cyber Fraud insurance, but that anyone who conducts electronic business with you carries it as well. Ask for a certificate of insurance with appropriate limits.

3. Require passwords of at least 12 characters that include numbers, upper- and lower-case letters and special characters, and change these passwords frequently.

4. Conduct effective and frequent fraud training for your family and your company associates in the areas of cyber security. Yes, I said your family! Your kids or elderly parents can infect your computer as easily as you can. Email me at [email protected] and I can share with you how I do this! It’s fun and easy!

5. Test your systems and your suppliers’ systems. Use a firm that specializes in vulnerability assessments and breach testing. Consult a Certified Fraud Examiner; they can help you find reputable firms.
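The password rule in the list above is easy to state but easy to satisfy with something a fraudster will guess first (“P@ssword2014!” has 13 characters and all four character classes). The check below is an added example, not Firestorm’s code: it enforces the stated policy and goes one step beyond the text by normalizing the usual letter-for-symbol substitutions and rejecting passwords built on the user name or on a common word. The denylist is a constructed stand-in; in practice you would load a large breached-password list.

```python
import re

MIN_LENGTH = 12
CHARACTER_CLASSES = {
    "a digit": re.compile(r"[0-9]"),
    "an upper-case letter": re.compile(r"[A-Z]"),
    "a lower-case letter": re.compile(r"[a-z]"),
    "a special character": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed stand-in for a real breached-password list (assumption: a real
# deployment loads a large one).
DENYLIST = {"password", "welcome", "qwerty", "letmein", "iloveyou", "monkey"}
# Substitutions people use to satisfy class rules without changing the word:
# @ for a, $ for s, 0 for o, 1 for i, 3 for e, 4 for a.
LEET = str.maketrans("@$0134", "asoiea")


def policy_violations(password, username=""):
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for what, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"does not contain {what}")
    # Compare against the denylist after undoing the substitutions, so that
    # "P@ssword2014!" is recognised as "password" with decoration.
    normalized = password.lower().translate(LEET)
    if len(username) >= 3 and username.lower() in normalized:
        problems.append("contains the user name")
    for word in sorted(DENYLIST):
        if word in normalized:
            problems.append(f"built on the common password '{word}'")
    return problems
```

`policy_violations("correct-Horse7-battery")` returns an empty list, while `policy_violations("P@ssword2014!")` passes every character-class test and is still rejected for being built on “password”. Rotation frequency is an operational setting in the directory or password manager rather than something this check can see.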

Don’t lock your door and leave the windows open! Understand and prepare for your next cyber-attack. If you want a fraud assessment for your business, feel free to contact me.

Firestorm has worked with hundreds of businesses, organizations and schools to keep tens of thousands of employees, customers and students safer. Firestorm provided crisis management and crisis communications services to Virginia Tech after the shootings, and more recently to Littleton, CO, Roswell, NM and Jefferson County School District in Colorado (location of Columbine) among others.
